On 10 July, the European Commission adopted a new decision to declare the level of data protection offered by the United States equivalent to that of the European Union.
In other words, from 11 July 2023, the transfer of personal data from the European Union to US companies and public administrations participating in the so-called “EU-U.S. Data Privacy Framework” is once again permitted without any of the additional safeguards (e.g., Standard Contractual Clauses) currently provided for in Regulation (EU) 2016/679 (GDPR).
The Decision represents an important milestone in the area of personal data transfers between the European Union and the United States. Indeed, it not only closes (hopefully not only temporarily) three years of discussions with the US government, but also overcomes the regime of uncertainty that followed the judgment of the Court of Justice of the European Union of 16 July 2020 in case C-311/18 (Schrems II), by introducing new binding safeguards to address the points raised by the Court. Additionally, the new obligations are intended to ensure that US intelligence agencies can only access data to the extent necessary and proportionate.
Indeed, in the Schrems II judgment, the Court of Justice of the European Union had invalidated the 2016 Privacy Shield adequacy decision governing the data transfer regime between the European Union and the United States.
That being said, certain precautions must be taken into account by companies before relying fully on the new framework.
What to do before transferring personal data to the US
Adherence to the new Framework is based on a certification mechanism through which US companies, by means of a self-certification validated by the Department of Commerce (DoC), undertake to comply with certain principles and obligations that have always been considered cardinal for the European Union in matters of personal data protection (e.g., transparency, purpose limitation, accountability, etc.).
Therefore, in order to transfer personal data to the United States without further requirements or guarantees (e.g., to a service provider acting as data controller), it is necessary to verify that the recipient is among the certified organisations included in the so-called “Data Privacy Framework List”.
The List, prepared and updated by the DoC, contains the references of all those companies that have completed, or renewed under the annual renewal obligation, the certification process. In addition, for the greater protection of European companies, it is also possible to consult the register of organisations removed from the DPF List.
In addition to checking the Data Privacy Framework List, it is also advisable to plan from the outset a review of the organisation’s privacy documentation that relates or refers to transfers of personal data to the United States: for example, privacy policies, the register of processing activities, and, where an American counterparty has since joined the Framework, the transfer agreements already entered into with it (e.g., data transfer agreements), which will need to be revised accordingly.
What to prepare in the case of transfers of personal data to American companies that do not adhere to the Data Privacy Framework
In view of the consequences and burdens arising from inclusion in the Framework (e.g., subjection to the powers of the Federal Trade Commission or the Department of Transportation, etc.), it is nevertheless likely that some transfers of personal data to the United States will not fall within the scope of the Decision, for example because certain American companies do not adhere to the Framework.
In that case, the provisions and requirements that, following Schrems II, applied to transfers of personal data to the United States continue to apply. In particular, it is first of all necessary:
- To adopt one of the guarantee mechanisms provided for by the GDPR (e.g., Standard Contractual Clauses, Binding Corporate Rules, etc.);
- To verify – through a Transfer Impact Assessment (TIA) – that an adequate level of protection of personal data, data subjects and their rights is ensured.
Other relevant aspects of the Decision
Beyond the adherence of American companies to the Framework and, consequently, the assessments that European companies must carry out, it is also worth considering the further principles and provisions introduced by the Decision to ensure that transfers of personal data conform to the requirements set by the CJEU and to the level of protection guaranteed in the European Union.
In particular, the CJEU established that:
- US public authorities and intelligence services may only access personal data that are necessary and proportionate for the purposes pursued (e.g., prosecution of federal crimes) and that are subject to specific conditions and limitations. This is consistent with US President Biden’s executive order “Enhancing Safeguards for United States Signals Intelligence Activities” of 7 October 2022.
- Redress and rights protection mechanisms are in place for data subjects, who are given the opportunity to complain directly to the companies participating in the Framework. Alternatively, data subjects may turn to the independent dispute resolution body designated by the companies. Further dispute resolution mechanisms, both judicial and arbitration, are also provided for. For example, a specific ‘tribunal’ (so-called Data Protection Review Court – DPRC) has been set up to deal with complaints concerning the violation of US federal laws on intelligence services. In such cases, EU citizens are required to file a petition with the national Data Protection Authority, which, in consultation with the European Data Protection Board, forwards the requests to the Civil Liberties Protection Officer of the intelligence service.
- An enforcement regime is established whereby companies adhering to the Framework are subject to the specific investigative and oversight powers of the relevant US authorities (e.g., Federal Trade Commission and DoC).
The Framework has already been criticised and ‘challenged’. A prominent voice is that of Maximilian Schrems’ association noyb, which criticised the substance of the decision and called for changes on the US side.
“We now had ‘Harbors’, ‘Umbrellas’, ‘Shields’ and ‘Frameworks’ – but no substantial change in US surveillance law. The press statements of today are almost a literal copy of the ones from the past 23 years. Just announcing that something is ‘new’, ‘robust’ or ‘effective’ does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work – and we simply don’t have it.”
With regard to the legitimacy of the Framework, noyb is already preparing to challenge the decision before the CJEU, anticipating that it will be declared invalid, just like the previous measures, and hence that it only creates an illusion of protection. Maximilian Schrems added:
“We have various options for a challenge already in the drawer, although we are sick and tired of this legal ping-pong. We currently expect this to be back at the Court of Justice by the beginning of next year. The Court of Justice could then even suspend the new deal while it is reviewing the substance of it. For the sake of legal certainty and the rule of law we will then get an answer if the Commission’s tiny improvements were enough or not. For the past 23 years all EU-US deals were declared invalid retroactively, making all past data transfers by business illegal – we seem to just add another two years of this ping-pong now.”
Finally, on the role of the European Commission in prioritising diplomatic relations over the rule of law (i.e., implementing measures that are systematically invalidated for the sake of US-EU relations), Schrems stated:
“The Commission is meant to be the ‘guardian of the treaties’ and the defender of the ‘rule of law’. It loves that role when it comes to Member States violating EU law. Now the Commission itself simply ignores the Court of Justice for the third time.”